Wednesday, October 18, 2006

VoMM: Taking Browser Exploits to the Next Level

Scared of browser exploits? Good.

Now prepare to be downright frightened of browser exploits.

Enter VoMM (eVade o’ Matic Module).
VoMM is a Metasploit module developed by LMH and Aviv Raff that cloaks browser exploits using multiple techniques and makes them almost undetectable to common static signature-based detection systems. This includes many AV scanners and most IDS/IPS systems.

The most relevant techniques deployed:
  • White-space randomization (using spaces, tabs, etc.).
  • String obfuscation and encoding.
  • Random comments: placement and manipulation of existing ones.
  • Block randomization.
  • Variables and functions names randomization.
  • Integer and misc. variables obfuscation.
  • Function pointer reassignment.
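
Several of the techniques in that list (whitespace, comments, identifier renaming) change the bytes of a script without changing what it does, which is exactly why a signature on raw bytes stops matching. The defender's counter is to normalize before matching. The following is an added illustration, not code from VoMM, LMH, or Aviv Raff: a small JavaScript canonicalizer that drops comments and whitespace and alpha-renames identifiers in order of first appearance, then fingerprints the result. The two script variants are constructed, benign samples; the keyword and built-in list is a deliberately small assumption for the demo.

```python
import hashlib
import re

# Token classes, in priority order: comments and whitespace are dropped,
# strings and numbers are kept verbatim, identifiers may be renamed.
_TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<space>\s+)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<punct>[^\s\w$])
""", re.VERBOSE | re.DOTALL)

# Names that carry meaning and must not be alpha-renamed (assumed, minimal set).
KEEP = {
    "var", "function", "return", "if", "else", "for", "while", "new", "this",
    "true", "false", "null", "typeof", "in", "document", "window", "String",
    "unescape", "Array", "Math", "navigator", "setTimeout", "eval",
}


def canonicalize(js: str) -> str:
    """Return a whitespace-, comment- and name-independent form of `js`."""
    out = []
    names = {}          # original identifier -> canonical name
    prev = None         # previous emitted token, to spot property accesses
    for m in _TOKEN_RE.finditer(js):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "space"):
            continue                                   # layout noise: drop
        if kind == "ident" and text not in KEEP and prev != ".":
            # Rename user identifiers by order of first appearance, so
            # `payload`/`qZx7` both become v0 etc. Property names (after
            # a dot) are left alone since renaming them changes behaviour.
            text = names.setdefault(text, "v%d" % len(names))
        out.append(text)
        prev = text
    return " ".join(out)


def fingerprint(js: str) -> str:
    """SHA-256 of the canonical form: stable across layout/name changes."""
    return hashlib.sha256(canonicalize(js).encode()).hexdigest()


def matches_signature(js: str, signature_js: str) -> bool:
    """Signature match performed on canonical forms rather than raw bytes."""
    return canonicalize(js) == canonicalize(signature_js)


# Constructed samples: the same benign script, once plain and once with
# random whitespace, tabs, comments and renamed identifiers.
VARIANT_A = 'var payload = "hello"; function show(msg) { document.write(msg); } show(payload);'
VARIANT_B = ('/* noise */ var   qZx7 =  "hello" ;\n'
             '\tfunction\tKp_(a$b) { /* more noise */\n'
             '    document.write( a$b ) ; } // trailing\n'
             'Kp_( qZx7 ) ;')

if __name__ == "__main__":
    print("raw bytes equal:      ", VARIANT_A == VARIANT_B)          # False
    print("canonical forms equal:", matches_signature(VARIANT_B, VARIANT_A))  # True
    print(canonicalize(VARIANT_B))
```

Layout and renaming tricks fall to this kind of normalization, but it does nothing against the other items on the list: string obfuscation and encoding, block randomization and function pointer reassignment change the token stream itself, so a canonical-form signature no longer lines up. Catching those requires decoding or executing the script (emulation or instrumented browser detonation), which is the direction network and endpoint detection had to move.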

Check out LMH's blog entry for the rundown on each technique. Gregg Keizer released a TechWeb article yesterday on VoMM as well.

HD Moore used several of these tricks when he created the VML exploit for Metasploit. When it was released, Moore's exploit was undetected by all 26 virus scanning engines supported by VirusTotal, which include Grisoft's, McAfee's, Microsoft's, Symantec's, Kaspersky's, and others.

Moral of the Story - Patch'em if you got'em and do it as soon as possible. Most corporations slowly roll out patches to minimize possible damage and because they feel protected by other mitigation factors. Those "defense in depth" protection layers are shrinking and in some cases, being totally bypassed.

2 comments:

  1. Thankfully, at least one IPS vendor has been aware of these evasions for some time, and employs some tricks to catch the evasions themselves. So, all is not lost for network-based javascript exploit detection. :)

  2. Tod, is that a shameless plug? ;)

    I wouldn't be shocked if you guys were already aware of these tricks.

    I need to make those AHA meetings. lol
